There is something I don't get: one of my web apps has a small form that allows you to enter your name and email address to "subscribe" to a user list for a site I maintain. The site is very low traffic, and only useful to a very small number of people that live in a very small town. It would be of no interest to anyone else.

Yet, every day, sometimes many times per day, someone (or a bot) is entering fictitious names and probably bogus email addresses into the form.

This form is not even active on my site anymore; it just happens to still exist as an orphaned page in my IIS directory (which tells me that someone is searching for these types of forms via Google, because there is no path to this form if you come in through the default page).

This is not a big hassle for me; I can solve the problem with a captcha, but what I don't understand is for what purpose someone would set up a bot to repeatedly fill in forms. I figure there must be a reason, but for the life of me I don't know why.

8 Answers

These are bots trying to send you spam, or worse, trying to exploit your contact form to send spam to others.

For example, there are several well-known exploits for the PHP mail() command commonly used by contact forms that can cause the TO address you put in your code to be overwritten by POSTed data, if you aren't careful how you handle the data coming in from your form.

Some ways to prevent this:

Use a captcha. For a low traffic site, even a static captcha (an image that just has the same text in it every time) will work very well.

Check the HTTP referrer to make sure the POST is coming from your contact form. Many bots will spoof this though, so it isn't terribly useful.

Use hidden form fields to try to trick the bots. For example, create a field called "phone_number" on your form, and hide it with CSS in your stylesheet (display: none). A bot will normally fill in that field (they usually fill in all fields to avoid possible required-field validation errors) but a user would not, since it's hidden. So on POST you check for a value in that field and SILENTLY fail to send the message if there is a value in it. I find that this method alone is highly effective.

If you use a hidden field, I suggest naming it something less common. I've encountered browser toolbars in the wild that attempt to helpfully fill out forms automatically -- even hidden fields!
– Eli, Jan 4 '13 at 3:25
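As an added illustration of the two points in the answer above (mail header injection through form input that is concatenated into headers, and the CSS-hidden honeypot field, given an uncommon name as Eli's comment suggests), here is a small Python example. It is not code from the question or from any answer: the field names, the honeypot name `xq_company_ref`, the owner address and the sample submissions are all constructed for illustration, and `recipients_in` is a deliberately simplified model of how a mail transport would gather To/Cc/Bcc addresses from a header block, not the PHP mail() function itself.

```python
"""Server-side checks for a small subscribe form (added example, not from the
original thread).  Shows (1) how a CR/LF inside a submitted field lets a bot
add its own Bcc line when headers are built by string concatenation, and
(2) a honeypot field that bots fill in but real users never see."""
import email.utils
import re

# Assumed name of the honeypot field.  It is hidden with display:none in the
# page CSS; an uncommon name keeps browser autofill tools from populating it.
HONEYPOT_FIELD = "xq_company_ref"

# A CR or LF anywhere in a header value is what makes header injection possible.
_HEADER_BREAK = re.compile(r"[\r\n]")
# Deliberately loose syntax check; full RFC 5322 validation is out of scope here.
_SIMPLE_EMAIL = re.compile(r"^[^@\s]+@[^@\s]+\.[^@\s]+$")


def build_headers_naively(name, sender, to):
    """The unsafe pattern: a header block assembled from raw form input.
    A CR/LF inside `sender` or `name` starts a brand-new header line."""
    return f"To: {to}\r\nFrom: {sender}\r\nSubject: Subscribe request from {name}\r\n"


def recipients_in(header_block):
    """Simplified model of a mail transport: collect every address that appears
    on a To/Cc/Bcc line of the header block (i.e. who would actually get mail)."""
    found = []
    for line in header_block.split("\r\n"):
        field, sep, value = line.partition(":")
        if sep and field.strip().lower() in ("to", "cc", "bcc"):
            found.extend(addr for _, addr in email.utils.getaddresses([value]))
    return found


def validate_submission(form):
    """Server-side gate for the form.  Returns (ok, reason).

    The honeypot check runs first and is meant to fail silently: the caller
    should still render the normal "thanks" page so the bot learns nothing.
    Then header-breaking characters are rejected, then basic address syntax."""
    if form.get(HONEYPOT_FIELD, "").strip():
        return False, "honeypot"
    for key in ("name", "email"):
        if _HEADER_BREAK.search(form.get(key, "")):
            return False, f"header injection in {key}"
    if not _SIMPLE_EMAIL.match(form.get("email", "")):
        return False, "bad email"
    return True, "ok"


def handle_subscribe(form, list_owner="owner@example.com"):
    """What the endpoint should do: validate first, then build headers only
    from data that passed.  Returns the header block, or None when dropped."""
    ok, _ = validate_submission(form)
    if not ok:
        return None
    return build_headers_naively(form["name"], form["email"], list_owner)


# Constructed sample submissions (not real traffic from the site in question).
GENUINE = {"name": "Pat Smith", "email": "pat@example.org", HONEYPOT_FIELD: ""}
BOT_FILLS_EVERYTHING = {"name": "Pat", "email": "pat@example.org",
                        HONEYPOT_FIELD: "555-0100"}
HEADER_INJECTION = {"name": "Pat",
                    "email": "pat@example.org\r\nBcc: victim1@example.net, victim2@example.net",
                    HONEYPOT_FIELD: ""}

if __name__ == "__main__":
    # Without validation the injected email field adds two recipients the
    # site owner never intended to mail.
    raw = build_headers_naively(HEADER_INJECTION["name"],
                                HEADER_INJECTION["email"], "owner@example.com")
    print("naive recipients:", recipients_in(raw))
    for label, form in (("genuine", GENUINE), ("bot", BOT_FILLS_EVERYTHING),
                        ("injection", HEADER_INJECTION)):
        print(label, validate_submission(form), handle_subscribe(form) is not None)
```

Running the script shows the naive header block delivering to three addresses instead of one, while `handle_subscribe` drops both the honeypot-filled and the injected submissions and only ever passes validated values into the header builder.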

These bots are blindly trying every form they find in order to send spam mail. Some of them may have historical data of forms and even if it's not currently listed on search engines, these bots can post data to that URL.

Let's say a web site contains an HTML form for sending a recommendation to a friend, typically "Tell a friend" or "Send greeting card", which is not protected by a CAPTCHA image, for example. A bot could use the form to send thousands of spam emails using your SMTP server.

If the bot is coming from the same IP address, you could block that address on IIS or on your firewall.

A simple fix for this can be changing the names on the forms. Bots crawl using Google, and look for common form and field names like address or recipient. Change these to something a bit more obscure, and you're less likely to get any spam on them.
– Dentrasi, Jun 25 '09 at 15:25

Less likely, but it can still happen. I've seen forms with obscure names on obscure fora still get hit with spambots.
– Ward, Jun 25 '09 at 15:39

We really do prefer that answers have content, not pointers to content. This may theoretically answer the question however, it would be preferable to include the essential parts of the answer here, and provide the link for reference. Thank you!
– Chris S♦, Apr 4 '13 at 12:42

And the reason for the above is exactly what's happened, your link is no longer valid thus making your answer nearly useless.
– aslum, Jan 5 at 21:20

Welcome to Server Fault! We really do prefer that answers have content, not pointers to content. This may theoretically answer the question however, it would be preferable to include the essential parts of the answer here, and provide the link for reference. This post will be removed if not improved. Thank you!
– Chris S♦, Apr 4 '13 at 12:41


I'm sorry? Did you realize that this answer is 3 years old?
– RateControl, Apr 16 '13 at 20:13